California’s New Data Broker Law Could Be The First Of Many

California’s leading privacy regulations just became stricter. California Governor Gavin Newsom, a Democrat, signed into law the Delete Act, which requires data brokers to delete all information they have collected about an individual at the citizen’s request. This requirement extends to “all service providers or contractors associated with the data broker” as well. Notably, citizens will not have to file repeated requests. After their first is processed, data brokers will be responsible for deleting all information of a consumer that has submitted a request at least once every 45 days, with only a few exceptions. In addition, once a consumer has filed, data brokers will be restricted in their ability to share or sell new personal information on the consumer.

While all 12 states, including California, with data privacy laws, include the right for residents to request to have their data deleted, this new bill goes beyond these past protections. Instead of having information collected directly from the person removed, the new law will require destroying all information gathered about an individual when requested.

The law also gives the California Privacy Protection Agency increased authority to regulate the industry, which will be responsible for writing and implementing the new regulations. Data brokers will also be required to register with the CPPA
PPA
, which will, in turn, make the registry public. The law is scheduled to take effect on January 1, 2026, giving the agency almost two years to write the rules. Legal challenges could delay the new regulations’ effective date.

Unsurprisingly, California is the first state in the country to pass a law like this with its history of ambitious data privacy legislation. The successful effort will likely inspire copycats elsewhere in the U.S., particularly in other liberal-leaning states. This happened with California’s first data privacy legislation and, more recently, with the state’s climate disclosure laws. The initial bill can often serve as a template that state lawmakers use as a starting point.

Privacy advocates will be wary of efforts by industry members to join the push and pitch legislation that installs some protections but does not go as far as the original bill. This has happened with data privacy legislation, and proponents of tougher regulations for data brokers will be wary of allowing it to occur again. By targeting the states looking to act on data privacy, lobbyists can create an alternative template that other states can then look to follow rather than only following the strict measures first passed. This industry strategy can also limit the downsides of the patchwork that can occur when states have different rules by coordinating this effort across states through these industry groups.

Still, when given the choice, most businesses prefer a national standard through Congress rather than the potential array of rules that can happen when issues are left to the states. While there have been federal efforts to pass stronger data privacy legislation for years, an agreement has yet to materialize, nor does it appear likely that there will be a breakthrough soon. One sticking point is the issue of pre-emption, whether the federal requirements should be a minimum or maximum standard.

The irony is that continued success at the state level further complicates this debate. Signs of success can undercut momentum in Congress by making lawmakers feel that the issue is being handled better by the states. In addition, laws covering new ground, like those out of California, raise the bar for what Congress would have to pass if it were to be the toughest standard. California’s data broker law has started a new chapter in the conversation on data privacy regulation. It may reignite discussions in Congress, but the states remain the most likely to be able to pass new measures.

Read the full article here